Corsair warns of Padlock 2 security glitch

Data security alert

Corsair has discovered a security problem which could expose data on its Flash Padlock 2 USB Flash drive. The company says the security issue can be fixed by the user of the Padlock drive, which uses a keyboard and a programmable personal identification number (PIN) to allow users to protect their data.

Currently, it seems, if a user presses the KEY and 0/1 buttons for more than three seconds, the Padlock will erase the password without deleting the data on the drive, presenting a security risk. However, this apparently only happens once, so if users follow the stages suggested by Corsair and then set the password again, it will apparently be hunky-dory.

Corsair warns that, while the procedure is not destructive, users are advised to back up their data. Its instructions are as follows:

Drive must be in a LOCKED state. If the drive is plugged into a system, remove it.

Press and hold the KEY button and the 0/1 button down, simultaneously, for five or more seconds.

Release the KEY and 0/1 buttons. Note that at this stage your password MAY have been erased, but data will still exist on the drive.

Wait until any LEDs are no longer illuminated or blinking.

Press and hold the KEY button for three seconds. Both red and green LEDs will illuminate.

Enter a new PIN using the PIN keys. A user PIN may be 4 to 10 digits long; for security, Corsair recommends 6 digits or more.

Press and release the KEY button. Both red and green LEDs will blink in unison.

Re-enter your PIN to confirm.

Press and release the KEY button. The green LED will flash, indicating your PIN has been accepted.

Your drive is now secure.

Corsair says the procedure must be followed in its entirety to ensure the security of the drive. Assistance is available from Corsair's technical support, which can be reached by telephone, email or accessing the helpdesk.

IMO Corsair should stick to what they do best - PSUs, RAM, etc, this is the second secure device they've made and the second time they've messed up. It's no good releasing a fix later, what about all the devices that have already been stolen, waiting for something like this to crack into them? Leave security to the security companies - bad security is worse than no security, people will entrust more sensitive data to a device they believe is totally secure so risk losing more. Is the relatively tiny profit they make on these compared to their other products worth potentially ruining people's lives depending on the data they might lose? I'm not saying no companies ever make mistakes, but it's annoying to say the least that something this trivial wasn't picked up in testing, the same goes for the first one…